March  23, 1999 

MEMORANDUM  FOR  DIRECTOR,  DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE

SUBJECT:  Audit  Report  on  Application  Controls  Over  the  Annuitant  Pay  Subsystem  at 
the  Defense  Finance  and  Accounting  Service  Denver  Center 
(Report  No.  99-110) 


We  are  providing  this  report  for  information  and  use.  The  audit  was  conducted  in 
support  of  our  financial  statement  audits  required  by  the  Chief  Financial  Officers  Act  of 
1990  and  the  Federal  Financial  Management  Act  of  1994.  This  is  the  second  of  two 
reports  being  issued  on  the  Defense  Retiree  and  Annuitant  Pay  System.  We  considered 
management  comments  on  a  draft  of  this  report  in  preparing  the  final  report. 

The  Defense  Finance  and  Accounting  Service  comments  conformed  to  the 
requirements  of  DoD  Directive  7650.3;  therefore,  additional  comments  are  not  required. 

We  appreciate  the  courtesies  extended  to  the  audit  staff.  Questions  on  the  audit 
should  be  directed  to  Ms.  Kimberley  A.  Caprio  at  (703)  604-9139  (DSN  664-9139), 
(kcaprio@dodig.osd.mil),  or  Mr.  Dennis  L.  Conway  at  (703)  604-9158  (DSN  664-9158), 
(dconway@dodig.osd.mil).  See  Appendix  E  for  the  report  distribution.  Audit  team 
members  are  listed  inside  the  back  cover. 

David  K.  Steensma 
Deputy  Assistant  Inspector  General 
for  Auditing 
Application  Controls  Over  the  Annuitant  Pay  Subsystem 
at  the  Defense  Finance  and  Accounting  Service 
Denver  Center 


Executive  Summary 


Introduction.  The  audit  was  conducted  to  support  our  audits  required  by  the  Chief 
Financial  Officers  Act  of  1990  and  the  Federal  Financial  Management  Act  of  1994.  This 
is  the  second  of  two  reports  resulting  from  our  audit  of  the  Defense  Retiree  and  Annuitant 
Pay  System.  This  report  addresses  our  review  of  the  application  controls  over  the 
Defense  Finance  and  Accounting  Service  (DFAS)  Denver  Center’s  Annuitant  Pay 
Subsystem,  one  of  two  subsystems  in  the  Defense  Retiree  and  Annuitant  Pay  System.  A 
separate  report  addresses  our  review  of  application  controls  over  the  DFAS  Retiree  and 
Casualty  Pay  Subsystem.  DFAS  requested  that  we  issue  separate  reports  on  these 
subsystems. 

The  Annuitant  Pay  Subsystem  accounted  for  over  257,000  annuitants  and  disbursed  an 
average  of  $141.4  million  per  month  from  the  DoD  Military  Retirement  Trust  Fund  in 
FY  1998.  Because  of  the  high  volume  and  dollar  value  of  transactions  processed, 
effective  controls  over  the  Annuitant  Pay  Subsystem  are  essential  to  ensure  authorized, 
accurate,  complete,  and  reliable  annuitant  pay  data  for  the  Military  Retirement  Trust 
Fund. 

Objectives.  The  overall  objective  was  to  evaluate  general  and  application  controls  over 
the  Defense  Retiree  and  Annuitant  Pay  System  to  ensure  authorized,  accurate,  complete, 
and  reliable  data.  This  report  addresses  our  review  of  selected  application  controls  over 
the  Annuitant  Pay  Subsystem.  In  a  previous  report,  we  discussed  selected  application 
controls  over  the  Retiree  and  Casualty  Pay  subsystem.  (Application  controls  are  the 
policies  and  procedures  that,  when  implemented,  provide  assurance  that  transactions  are 
valid,  properly  authorized,  and  completely  and  accurately  processed.)  We  also  reviewed 
the  management  control  program  as  it  related  to  the  Annuitant  Pay  Subsystem. 

Results.  The  DFAS  Denver  Center  had  not  fully  implemented  or  maintained  controls 
over  the  accuracy  of  information  in  the  Annuitant  Pay  Subsystem.  Controls  could  be 
improved  by  documenting  reviews  and  taking  more  timely  corrective  actions  on  reports 
containing  rejected  or  potentially  erroneous  transactions.  Although  our  review  did  not 
detect  unauthorized  or  fraudulent  activity,  implementation  of  these  controls  will  increase 
managers’  confidence  that  annuity  payments  are  accurate. 

DFAS  had  implemented  controls  to  ensure  that  transactions  were  authorized,  complete, 
and  reliable  before  making  payments  to  annuitants.  However,  additional  management 
controls  recommended  in  this  report  will  better  assure  DFAS  that  erroneous  or  rejected 
data  can  be  detected  timely  to  prevent  or  correct  misstatements  in  the  financial  statements 
of  the  Military  Retirement  Trust  Fund.  See  Appendix  A  for  details  on  the  management 
control  program  and  the  Finding  for  a  discussion  of  the  audit  results. 

Summary  of  Recommendations.  We  recommend  that  the  Director,  DFAS  Denver 
Center,  enforce  procedures  for  making  timely  reviews  on  reports  of  rejected  and 
erroneous  data  and  include  supervisors  in  the  review  process. 

Management  Comments.  The  Director  of  Finance,  DFAS,  concurred,  and  the  Director, 
DFAS  Denver  Center,  implemented  additional  requirements  to  ensure  that  more  timely 
reviews  are  performed  on  reports  of  rejected  and  erroneous  data  and  supervisory  reviews 
are  documented.  A  discussion  of  management  comments  is  in  the  Finding  section  of  the 
report  and  the  complete  text  is  in  the  Management  Comments  section. 
Background 


This  is  the  second  of  two  reports  resulting  from  our  audit  of  the  Defense  Retiree 
and  Annuitant  Pay  System.  The  audit  was  conducted  to  support  our  audits 
required  by  the  Chief  Financial  Officers  Act  of  1990  and  the  Federal  Financial 
Management  Act  of  1994.  A  separate  report  addresses  our  review  of  application 
controls  over  the  Defense  Finance  and  Accounting  Service  (DFAS)  Retiree  and 
Casualty  Pay  Subsystem.  DFAS  requested  that  we  issue  separate  reports  on  these 
subsystems. 

On  August  8, 1991,  the  DoD  Corporate  Information  Management  Financial 
Management  Steering  Committee  approved  the  DFAS  proposal  to  standardize  and 
consolidate  DoD  retiree  and  annuitant  pay  systems. 

The  DFAS  Cleveland  Center’s  Retired  Pay  System  and  the  DFAS  Denver 
Center’s  Annuitant  Pay  System  were  integrated  as  the  Defense  Retiree  and 
Annuitant  Pay  System  (DRAS).  The  DFAS  Cleveland  Center’s  Retired  Pay 
System  was  renamed  the  Retiree  and  Casualty  Pay  Subsystem,  and  the  DFAS 
Denver  Center’s  Annuitant  Pay  System  was  renamed  the  Annuitant  Pay 
Subsystem. 

Retiree  and  annuitant  pay  transactions  are  processed  on  computers  managed  by 
the  Defense  Information  Systems  Agency  (DISA).  The  DISA  Defense 
Megacenter,  Chambersburg,  Pennsylvania,  processes  transactions  for  the  DFAS 
Cleveland  Center’s  Retiree  and  Casualty  Pay  Subsystem.  The  DISA  Defense 
Megacenter,  Denver,  Colorado,  processes  transactions  for  the  DFAS  Denver 
Center’s  Annuitant  Pay  Subsystem. 

This  report  discusses  our  review  of  selected  application  controls  over  the  DFAS 
Denver  Center’s  Annuitant  Pay  Subsystem.  Application  controls  are  the  policies 
and  procedures  that,  when  implemented,  provide  assurance  that  transactions  are 
valid,  properly  authorized,  and  completely  and  accurately  processed.  The 
Annuitant  Pay  Subsystem  was  used  to  account  for  over  257,000  annuitants  and  to 
disburse  a  monthly  average  of  $141.4  million  from  the  DoD  Military  Retirement 
Trust  Fund  in  FY  1998. 


Objectives 

The  overall  objective  was  to  evaluate  general  and  application  controls  over  the 
DRAS  to  ensure  authorized,  accurate,  complete,  and  reliable  data.  This  report 
addresses  our  review  of  selected  application  controls  over  the  Annuitant  Pay 
Subsystem.  We  also  reviewed  the  management  control  program  for  the  Annuitant 
Pay  Subsystem. 

See  Appendix  A  for  discussion  of  the  audit  scope  and  methodology,  and 
Appendix  B  for  a  summary  of  prior  coverage  related  to  the  audit  objectives. 
Controls  Over  the  Annuitant  Pay  Subsystem 

The  DFAS  Denver  Center  did  not  fully  implement  or  maintain  controls 
over  the  accuracy  of  information  in  the  Annuitant  Pay  Subsystem. 
Personnel  at  the  DFAS  Denver  Center  either  did  not  always  make  timely 
reviews  or  did  not  document  their  reviews  on  reports  containing  rejection 
and  potentially  erroneous  transactions,  which  affected  their  ability  to 
ensure  that  the  annuitant  accounts  were  accurate.  This  occurred  because 
managers  at  the  DFAS  Denver  Center  did  not  consistently  enforce  timely 
reviews.  Without  proper  controls  over  vital  reports  produced  by  the 
Annuitant  Pay  Subsystem,  there  is  increased  risk  that  erroneous  or 
fraudulent  transactions  will  not  be  detected  timely  to  prevent  or  correct 
misstatements  in  the  annuitant  pay  records  or  the  financial  statements  of 
the  Military  Retirement  Trust  Fund. 


Guidance  for  Internal  Control  Systems 

Office  of  Management  and  Budget  (OMB)  Circular  No.  A-127,  “Financial 
Management  Systems,”  June  23,  1993,  states  that  financial  management  systems 
shall  include  a  system  of  internal  controls  to  ensure  that  reliable  data  are  obtained, 
maintained,  and  disclosed  in  reports. 

OMB  Circular  No.  A-127  also  states  that  agencies  shall  apply  appropriate  internal 
controls  to  all  system  inputs,  processing,  and  outputs,  in  accordance  with  OMB 
Circular  No.  A-123,  “Management  Accountability  and  Control,”  June  21,  1995. 
OMB  Circular  No.  A-123  requires  that  management  controls  be  established  to 
ensure  that  revenues  and  expenditures  are  properly  recorded  and  accounted  for, 
and  that  reliable  and  timely  information  is  collected  and  properly  maintained. 

To  implement  adequate  management  controls,  DoD  should  ensure  that  minimum 
controls  exist  within  an  application  system.  (An  application  system  is  a  group  of 
computer  programs  that  process  data  for  a  function  such  as  annuity  payroll.) 
Application  controls  are  the  policies  and  procedures  that,  when  implemented, 
provide  assurance  that  transactions  are  valid,  properly  authorized,  and  completely 
and  accurately  processed.  The  four  major  categories  of  application  controls  are: 

•  authorization  controls, 

•  completeness  controls, 

•  accuracy  controls,  and 

•  controls  over  the  integrity  of  processing  and  data  files. 

See  Appendix  D  for  a  definition  of  the  major  categories  of  application  controls. 
Controls  Over  the  Accuracy  of  Annuitant  Information 


DFAS  had  implemented  controls  to  ensure  that  transactions  were  authorized, 
complete,  and  reliable  before  making  payments  to  annuitants.  However,  the 
DFAS  Denver  Center  did  not  fully  implement  or  maintain  controls  over  the 
accuracy  of  annuitant  information  in  the  Annuitant  Pay  Subsystem.  Personnel  at 
the  DFAS  Denver  Center  either  did  not  always  make  timely  reviews  or  did  not 
document  their  reviews  on  reports  containing  rejection  and  potentially  erroneous 
transactions,  which  affected  the  ability  to  determine  whether  the  annuitants’  pay 
accounts  were  accurate.  The  DFAS  Denver  Center  produces  a  total  of  295  daily, 
monthly,  quarterly,  and  annual  management  reports,  including  rejection  and  error 
reports. 

We  judgmentally  selected  five  reports  that  could  have  the  most  significant  impact 
on  the  reliability  of  the  financial  statements  and  the  Annuitant  Pay  Subsystem  if 
information  was  inaccurate  or  incomplete.  These  reports  were  important  controls 
for  reducing  the  risk  of  unauthorized  or  fraudulent  activity  because  they  identified 
rejections,  errors,  and  duplicate  data  for  annuitant  accounts;  account  modifications 
without  audit  trails;  and  abnormally  large  payments  or  payments  made  on  other 
than  the  normal  paydays.  Supervisors  at  the  DFAS  Denver  Center  did  not: 

•  follow  management  policy  during  reviews  of  critical  reports,  or 

•  make  timely  reviews  on  reports  containing  rejections  and  potentially 
erroneous  annuitant  data. 

Management  Policy  for  Reviewing  Reports.  Managers  at  the  DFAS  Denver 
Center  established  policies  for  reviewing  reports  containing  rejected  and 
potentially  erroneous  transactions,  and  implemented  a  quality  examination 
program  to  assess  and  improve  the  quality  of  work  in  the  Annuitant  Pay 
Directorate.  However,  reports  containing  rejection  and  potentially  erroneous 
annuitant  data  were  not  always  reviewed  according  to  those  policies. 

•  DFAS  Denver  Center  management  established  a  policy  for  following 
up  on  transactions  not  reviewed  promptly.  The  100  Percent  Review 
Tasks  Not  Reviewed  Report  was  developed  to  implement  this  policy. 
Unreviewed  transactions  were  listed  once  in  a  weekly  report  and  once 
in  a  monthly  report.  Whether  the  transactions  were  reviewed  or  not, 
subsequent  reports  did  not  include  those  transactions. 

We  identified  approximately  66,000  transactions  occurring  between 
November  1996  and  December  1997  that  were  not  reviewed  promptly. 
As  shown  in  the  following  chart,  these  transactions  could  have  a 
significant  impact  on  the  accuracy  of  annuitant  payments. 
Transactions Not Reviewed

Impact of Transactions on Annuitant Payments                             Number of Unreviewed Transactions

Updates annuity amount used in computing monthly payment                  2,025
Changes DVA* compensation affecting amount paid to annuitant                  1
Changes date of death and could affect amount paid to annuitant             558
Survivor benefit election can affect amount paid to annuitant             3,138
[description missing]                                                    16,711
Modifies retiree information used in calculating annuity payment          1,392
Affects DVA* deduction from annuity pay                                   6,138
Adjusts other income amounts and affects annuity pay                         59
Permits adjustments to pay records that bypass system controls           12,848
Allows modification of pay record without an audit trail                  3,286
Creates a one-time payment for a new annuitant                              593
Changes eligibility of spouse to receive annuity payment                      1
Affects entitlement to Social Security and amount of annuity payment      1,868
Provides a control over establishment of new annuity account             17,141
Terminates DVA* deduction and increases amount of annuity payments           26

Total Transactions Not Reviewed                                          65,785

*Department of Veterans Affairs


Without  more  timely  reviews,  DFAS  Denver  Center  managers  cannot 
be  assured  that  annuitant  pay  accounts  are  accurate  or  that  unauthorized 
or  fraudulent  activity  has  not  occurred. 

•  The  “Veterans  Administration  Interchange  Bump  Report”  listed  the 
annuity  pay  accounts  eligible  for  Department  of  Veterans  Affairs 
(DVA)  payments;  however,  the  amounts  shown  on  the  DVA  records 
did  not  match  the  amounts  reflected  in  the  annuitants’  accounts  on  the 
Annuitant  Pay  System.  DFAS  technicians  must  review  the  accounts 
listed  on  this  report  to  ensure  that  the  accounts  are  not  over-  or 
underpaid.  Accounts  remain  on  the  report  until  the  technicians  take 
corrective  actions. 

Using  a  computer  program  developed  by  the  Annuity  Pay  Directorate, 
we  determined  that  64  out  of  803  accounts  (8  percent)  required  review 
and  were  outstanding  for  more  than  1  month.  Managers  at  the  DFAS 
Denver  Center  could  ensure  more  accurate  annuitant  pay  records  by 
requiring  technicians  to  perform  more  timely  reviews  on  these 
accounts. 

•  The  Annuity  Pay  Directorate’s  Systems  Division  produced  a  monthly 
“Database  Clean-up  Report”  to  identify  discrepancies  in  the  annuitant 
accounts.  Technicians  in  the  Special  Actions  Branch  were  responsible 
for  reviewing  the  accounts  on  the  report  and  making  corrections.  After 
the  technicians  completed  their  review,  the  Systems  Division  generated 
another  “Database  Clean-up  Report”  to  verify  that  the  conditions 
causing  the  discrepancies  no  longer  existed.  However,  accounts 
requiring  no  corrective  action  (based  on  the  technician’s  initial  review) 
also  appeared  on  the  second  “Database  Clean-Up  Report.”  DFAS 
managers  could  not  verify  that  the  accounts  shown  on  the  second  report 
had  been  reviewed. 

Use  of  Rejection  and  Error  Reports.  Although  the  DFAS  Denver  Center 
frequently  produced  rejection  and  error  reports,  management  did  not  require 
reviews  for  two  of  the  reports  we  selected. 

•  The  “Veterans  Administration  Interchange  Social  Security  Number 
Reject  Report”  identified  personnel  on  the  DVA  records  who  had 
Social  Security  numbers  not  found  on  the  Annuitant  Pay  Subsystem. 
DFAS  standard  operating  procedures  required  technicians  to  advise  the 
DVA  that  these  personnel  were  not  recorded  on  the  Annuitant  Pay 
Subsystem  and  to  request  additional  information.  However, 
management  stated  that  they  were  disregarding  this  report  because  it 
was  relatively  common  for  annuitants  to  receive  a  DVA  payment  and 
not  appear  on  the  Annuitant  Pay  Subsystem. 

During  the  audit,  management  issued  a  memorandum  stating  that  the 
current  high  workload  and  limited  number  of  personnel  prohibited 
effective  use  of  this  report;  therefore,  the  report  would  be  discontinued. 
Also,  management  stated  that  compensating  controls  were  in  place  that 
provided  necessary  DVA  payment  data  for  ensuring  the  accuracy  of  the 
Annuitant  Pay  Subsystem.  We  will  review  these  controls  during  the 
audit  followup  process. 

•  The  “Duplicate  Social  Security  Numbers  on  the  Mail  Image  Routing 
and  Optical  Recording  System  Report”  listed  annuitant  accounts  that 
were  associated  with  two  different  retirees.  Often,  this  situation 
occurred  if  an  annuitant  had  been  married  to  more  than  one  retiree. 
Although  the  annuitant  did  not  receive  multiple  payments  as  a  result  of 
the  death  of  more  than  one  retiree,  this  report  showed  multiple  accounts 
for  the  annuitant.  The  annuitant  pay  technician  suspended  payments  to 
the  annuitant  until  one  of  the  retirees’  accounts  was  selected  for  pay. 
After  a  selection  was  made,  the  annuitant  pay  technician  started  pay 
based  on  the  retiree  account  selected. 

This  report  was  scheduled  for  monthly  review;  however,  since  no  prior 
reports  were  on  file,  we  could  not  determine  the  most  recent  report 
reviewed.  Management  at  the  DFAS  Denver  Center  acknowledged  the 
need  to  research  accounts  containing  duplicate  Social  Security  numbers 
and  resumed  the  review  of  this  report  during  our  audit. 


Conclusion 


The  absence  of  controls  over  the  accuracy  of  data  in  the  Annuitant  Pay  Subsystem 
increases  the  possibility  for  unauthorized  or  fraudulent  activity  to  occur  and  not  be 
detected  promptly  to  prevent  misstatements  in  the  financial  statements  of  the 
Military  Retirement  Trust  Fund.  The  absence  of  these  controls  also  lowers  the 
confidence  that  managers  can  place  on  the  accuracy  of  annuitant  payments. 

The  DFAS  Denver  Center  has  established  a  quality  examination  program  in  the 
Annuitant  Pay  Directorate  to  assess  and  improve  the  quality  of  work  performed  by 
technicians.  However,  transactions  were  not  always  reviewed;  therefore,  a  higher 
potential  existed  for  undetected  errors  in  the  annuitant  pay  accounts. 

The  Director,  DFAS  Denver  Center,  would  have  greater  assurance  that  application 
controls  have  been  implemented  and  maintained  if  supervisory  reviews  were 
documented  and  required  as  part  of  the  quality  examination  program. 


Recommendations  and  Management  Comments 


We  recommend  that  the  Director,  Defense  Finance  and  Accounting  Service, 
Denver  Center: 

1.  Enforce  procedures  for  making  timely  reviews  on  all  reports 
containing  rejections  and  potentially  erroneous  transactions  generated  from 
the  Annuity  Pay  Subsystem. 

DFAS  Comments.  DFAS  concurred,  stating  that  corrective  actions  were 
completed  on  January  30, 1999.  The  Director,  DFAS  Denver  Center,  will  use  a 
Management  Information  System  chart  to  list  all  monthly  reviews  and  track  the 
date  each  review  was  completed. 

2.  Include  supervisors  in  the  quality  examination  program  and 
require  supervisors  to  document  reviews  of  reports  containing  rejections  and 
potentially  erroneous  transactions. 

DFAS  Comments.  DFAS  concurred,  stating  that  corrective  actions  were 
completed  on  January  30, 1999.  The  Director,  DFAS  Denver  Center,  will  require 
supervisors  to  document  and  review  all  reports. 
Appendix  A.  Audit  Process 


Scope  and  Methodology 


The  scope  of  the  audit  included  reviews  of  application  controls  for  the  Annuitant 
Pay  Subsystem  of  the  DRAS.  Specifically,  we: 

•  reviewed  rejection  and  error  reports, 

•  evaluated  controls  over  the  authorization  of  transactions, 

•  evaluated  controls  for  the  detection  of  input  errors, 

•  reviewed  written  procedures  for  annuity  pay  operations, 

•  evaluated  controls  for  ensuring  that  information  processed  by  the 
system  was  complete  and  accurate,  and 

•  reviewed  procedures  for  verifying  the  completeness  of  account  updates. 

We  also  reviewed  policies  and  procedures  for  establishing  and  maintaining 
application  controls.  This  guidance  was  provided  in  regulations,  directives, 
circulars,  or  standards  developed  by  OMB  and  DoD. 

The  Annuitant  Pay  Subsystem  processed  transactions  for  over  257,000  annuitants 
and  disbursed  a  monthly  average  of  $141.4  million  from  the  DoD  Military 
Retirement  Trust  Fund  in  FY  1998. 

DoD-wide  Corporate-Level  Government  Performance  and  Results  Act  Goals. 
In  response  to  the  Government  Performance  and  Results  Act,  the  Department  of 
Defense  has  established  6  DoD-wide  corporate-level  performance  objectives  and 
14  goals  for  meeting  these  objectives.  This  report  pertains  to  achievement  of  the 
following  objective  and  goal. 

Objective:  Fundamentally  reengineer  DoD  and  achieve  a  21st  century 
infrastructure.  Goal:  Reduce  costs  while  maintaining  required 
military  capabilities  across  all  DoD  mission  areas.  (DoD-6) 

DoD  Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  have 
also  established  performance  improvement  reform  objectives  and  goals.  This 
report  pertains  to  the  achievement  of  the  following  functional  area  objectives  and 
goals. 


•  Financial  Management  Functional  Area.  Objective:  Strengthen 
internal  controls.  Goal:  Improve  compliance  with  the  Federal 
Managers’  Financial  Integrity  Act.  (Financial  Management-5.3) 
•  Information  Technology  Management  Functional  Area. 
Objective:  Provide  services  that  satisfy  customer  information  needs. 
Goal:  Improve  information  technology  management  tools. 
(Information  Technology  Management-2.4) 

General  Accounting  Office  High-Risk  Area.  The  General  Accounting  Office 
has  identified  several  high-risk  areas  in  DoD.  This  report  provides  coverage  of 
the  Defense  Financial  Management  and  the  Information  Management  and 
Technology  high-risk  areas. 

Use  of  Computer-Processed  Data.  We  relied  on  computer-processed  data  from 
the  Annuitant  Pay  Subsystem  to  determine  the  adequacy  of  the  application 
controls.  Although  we  did  not  perform  a  formal  reliability  assessment  of  the 
computer-processed  data,  the  documentation  we  obtained  generally  agreed  with 
the  computer-processed  data.  We  did  not  find  errors  that  would  preclude  use  of 
the  computer-processed  data  to  meet  the  audit  objectives  or  that  would  change  the 
conclusions  in  the  report. 

Review  Period  and  Standards.  We  performed  this  financial-related  audit  from 
December  1997  through  October  1998  in  accordance  with  auditing  standards 
issued  by  the  Comptroller  General  of  the  United  States,  as  implemented  by  the 
Inspector  General,  DoD.  Accordingly,  we  included  tests  of  management  controls 
considered  necessary. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  Further  details  are  available  on  request. 


Management  Control  Program 


DoD  Directive  5010.38,  “Management  Control  (MC)  Program,”  August  26, 
1996,  requires  DoD  organizations  to  implement  a  comprehensive  system  of 
management  controls  that  provides  reasonable  assurance  that  programs  are 
operating  as  intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  Management  Control  Program.  The  scope  of  review  of  the 
management  control  program  included  reviews  on  the  adequacy  of  application 
controls  over  the  Annuitant  Pay  Subsystem.  Specifically,  the  review  evaluated 
DFAS  management  controls  over  authorization,  completeness,  accuracy,  and 
integrity  of  processing  and  data  files.  Because  we  did  not  identify  a  material 
weakness,  we  did  not  assess  management’s  self-evaluation. 

Adequacy  of  Management  Controls.  Management  controls  were  adequate  in 
that  we  identified  no  material  management  control  weakness.  See  Appendix  C  for 
information  on  the  Vulnerability  Analysis  and  Assessment  Program. 
Also,  DoD  Regulation  7000.14-R,  the  “DoD  Financial  Management  Regulation,” 
volume  1,  “General  Financial  Management  Information,  Systems,  and 
Requirements,”  May  1993,  states  that  general  ledger  and  personnel  records  will 
be  reconciled  to  payroll  records.  Currently,  the  Annuitant  Pay  Subsystem  does 
not  interface  with  military  personnel  systems  to  verify  the  integrity  of  the  data 
received.  However,  the  Defense  Manpower  Data  Center  is  developing  an 
automated  method  for  matching  a  retiree’s  Social  Security  number,  recorded  on 
the  annuitant  pay  file,  with  the  Military  Department  personnel  file. 
Appendix  B.  Summary  of  Prior  Coverage 


Seven  Inspector  General,  DoD,  reports  covered  issues  related  to  this  audit. 


Inspector  General 


Inspector  General,  DoD,  Report  No.  97-177,  “Internal  Controls  and  Compliance 
With  Laws  and  Regulations  for  the  DoD  Military  Retirement  Trust  Fund 
Financial  Statements  for  FY  1996,”  June  25, 1997. 

Inspector  General,  DoD,  Report  No.  97-052,  “Vendor  Payments  -  Operation 
Mongoose,  Fort  Belvoir  Defense  Accounting  Office  and  Rome  Operating 
Location,”  December  23, 1996. 

Inspector  General,  DoD,  Report  No.  96-175,  “Computer  Security  Over  the 
Defense  Joint  Military  Pay  System,”  June  25, 1996. 

Inspector  General,  DoD,  Report  No.  96-124,  “Selected  General  Controls  Over  the 
Defense  Business  Management  System,”  May  21, 1996. 

Inspector  General,  DoD,  Report  No.  96-053,  “Follow-up  Audit  of  Controls  Over 
Operating  System  and  Security  Software  and  Other  General  Controls  for 
Computer  Systems  Supporting  the  Defense  Finance  and  Accounting  Service,” 
January  3,  1996. 

Inspector  General,  DoD,  Report  No.  95-263,  “Controls  Over  Operating  System 
and  Security  Software  and  Other  General  Controls  for  Computer  Systems 
Supporting  the  Defense  Finance  and  Accounting  Service,”  June  29,  1995. 

Inspector  General,  DoD,  Report  No.  94-060,  “General  Controls  for  Computer 
Systems  at  the  Information  Processing  Centers  of  the  Defense  Information 
Services  Organization,”  March  18, 1994. 
Appendix  C.  Vulnerability  Analysis  and  Assessment  Program 

General  Accounting  Office  Report  No.  AIMD-96-84  (OSD  Case  No.  1150), 
“Information  Security:  Computer  Attacks  at  Department  of  Defense  Pose 
Increasing  Risk,”  May  1996,  states  that  based  on  information  obtained  from 
DISA,  DoD  may  have  experienced  as  many  as  250,000  computer  attacks  in  prior 
years.  Of  that  number,  approximately  65  percent  may  have  been  successful.  The 
number  of  attacks  is  likely  to  increase  in  the  future,  as  Internet  use  increases  along 
with  the  sophistication  of  hackers  and  their  tools. 

Currently,  no  DoD-wide  policy  requires  vulnerability  assessments  or  criteria  for 
prioritizing  the  areas  exposed  to  the  highest  risk  of  attack.  However,  DISA 
established  a  Vulnerability  Analysis  and  Assessment  Program  in  1992  to  identify 
vulnerabilities  in  DoD  information  systems.  A  DISA  team  is  authorized  to  test 
any  system  supported  by  the  DISA  network  without  first  notifying  personnel  at 
the  site.  Testing  of  systems  external  to  DISA  is  performed  on  request  only. 

During  this  audit,  we  reviewed  the  use  of  the  Vulnerability  Analysis  and 
Assessment  Program  at  the  DISA  Defense  Megacenters  that  process  transactions 
for  DRAS.  (DRAS  consists  of  two  subsystems,  the  Retiree  and  Casualty  Pay 
Subsystem  and  the  Annuitant  Pay  Subsystem.)  DISA  processed  the  transactions 
for  DRAS  at  its  Defense  Megacenters  in  Chambersburg,  Pennsylvania,  and 
Denver,  Colorado.  Transactions  for  the  Annuitant  Pay  Subsystem  were  processed 
on  a  mainframe  computer  at  the  Defense  Megacenter  in  Denver. 

Although  DISA  has  tested  6  of  the  16  Defense  Megacenters  for  vulnerabilities, 
testing  has  not  begun  at  the  Defense  Megacenter  in  Denver.  If  individuals  with 
wrongful  intentions  are  able  to  exploit  weaknesses  at  the  Megacenter  in  Denver, 
the  Annuitant  Pay  Subsystem  could  be  disrupted,  affecting  payments  to  over 
257,000  annuitants.  Also,  because  the  Annuitant  Pay  Subsystem  disbursed  a 
monthly  average  of  $141.4  million  from  the  DoD  Military  Retirement  Trust  Fund 
in  FY  1998,  the  financial  statements  of  the  DoD  Military  Retirement  Trust  Fund 
could  be  materially  affected. 

DISA  managers  stated  that  they  plan  to  complete  the  Vulnerability  Analysis  and 
Assessment  Program  for  all  Defense  Megacenters  by  May  2000.  DISA  must 
follow  through  with  this  plan  to  prevent  any  potential  security  problems  and  to 
protect  the  integrity  of  DRAS. 
Appendix  D.  Major  Categories  of  Application  Controls 


We  evaluated  four  major  categories  of  application  controls.  Those  categories 
included  controls  over  the  authorization,  completeness,  accuracy,  and  integrity  of 
processing  and  data  files. 

Authorization  Controls.  These  controls  are  closely  associated  with 
management’s  declaration  on  financial  statements  (commonly  called 
management’s  assertions)  concerning  the  validity  of  transactions  and  the  actual 
occurrence  of  transactions  in  a  given  period. 

Completeness  Controls.  These  controls  relate  directly  to  management’s 
assertion  on  the  completeness  of  transactions,  that  is,  whether  all  valid 
transactions  are  recorded  and  properly  classified. 

Accuracy  Controls.  Accuracy  controls  relate  directly  to  management’s  assertion 
that  transactions  are  recorded  at  the  correct  amounts.  These  controls  are  not 
limited  to  financial  information,  but  also  address  the  accuracy  of  other  data. 

Controls  Over  Integrity  of  Processing  and  Data  Files.  Integrity  controls,  if 
deficient,  could  nullify  each  of  the  above  types  of  controls,  allow  the  occurrence 
of  unauthorized  transactions,  and  cause  data  to  be  incomplete  and  inaccurate. 
Appendix  E.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
Assistant  Secretary  of  Defense  (Public  Affairs) 

Director,  Defense  Logistics  Studies  Information  Exchange 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Navy 
Superintendent,  Naval  Postgraduate  School 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 


Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Finance  and  Accounting  Service 

Director,  Defense  Finance  and  Accounting  Service  Denver  Center 
Director,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 
Defense  Systems  Management  College 
Non-Defense  Federal  Organizations 

Office  of  Management  and  Budget 
General  Accounting  Office 

National  Security  and  International  Affairs  Division 
Technical  Information  Center 


Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform 

House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International  Relations, 
Committee  on  Government  Reform 


Non-Government  Organizations 

Deloitte  and  Touche  LLP 
Defense  Finance  and  Accounting  Service  Comments 


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 


1931  JEFFERSON  DAVIS  HIGHWAY 
ARLINGTON,  VA  22340-3191 


FEB  25  1999 


DFAS-HQ/FWM 


MEMORANDUM  FOR  DIRECTOR,  FINANCE  AND  ACCOUNTING  DIRECTORATE, 
OFFICE  OF  THE  INSPECTOR  GENERAL,  DEPARTMENT 
OF  DEFENSE 

SUBJECT:  DoDIG  Draft  Report,  "Application  Control  Over  the 
Annuitant  Pay  Subsystem  at  the  Defense  Finance 
and  Accounting  Service  Denver  Center"  dated 
November  23,  1998,  (Project  No.  89FG-5010.01) 

We  have  reviewed  the  subject  draft  report  and  provide  the 
following  comments: 

Page  8,  fourth  bullet,  revise  to  read,  "reviewed  written 
procedures  for  annuity  pay  operations." 

Inspector  General  Recommendation  1.  The  Director,  DFAS 
Denver  Center  enforce  procedures  for  making  timely  reviews  on 
all  reports  containing  rejections  and  potentially  erroneous 
transactions  generated  from  the  Defense  Retiree  and  Casualty 
Pay  subsystem. 

Response:  Concur.  The  Director,  DFAS  Denver  Center  has 
taken  action  to  get  all  reports  reviewed  in  a  timely  manner. 
A  Management  information  System  chart  has  been  created  which 
lists  all  monthly  reviews  and  the  date  each  review  was 
completed.  The  recommendation  was  implemented  on  January  30, 
1999. 

Inspector  General  Recommendation  2a.  Include  supervisors 
in  the  quality  examination  program  and  require  supervisors  to 
document  reviews  of  reports  containing  rejections  and 
potentially  erroneous  transactions. 

Response:  Concur.  The  supervisors  have  always  been 
included  in  the  quality  examination  program.  The  supervisors 
will  document  and  review  all  reports.  The  recommendation  was 
implemented  on  January  30,  1999. 
If  you  have  further  questions,  please  contact  my  project 
officer,  Mr.  Fiti  Malufeu,  at  703-S07-5Q61. 
Audit  Team  Members 


The  Finance  and  Accounting  Directorate,  Office  of  the  Assistant  Inspector 
General  for  Auditing,  DoD,  prepared  this  report. 


F.  Jay  Lane 
Kimberley  A.  Caprio 
Dennis  L.  Conway 
Shirley  Willard 
Susanne  B.  Allen 